From owner-freebsd-questions Wed Mar 24 14:58:12 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from allegro.lemis.com (allegro.lemis.com [192.109.197.134])
	by hub.freebsd.org (Postfix) with ESMTP id B903914D72
	for ; Wed, 24 Mar 1999 14:58:07 -0800 (PST)
	(envelope-from grog@freebie.lemis.com)
Received: from freebie.lemis.com (freebie.lemis.com [192.109.197.137])
	by allegro.lemis.com (8.9.1/8.9.0) with ESMTP id JAA29251;
	Thu, 25 Mar 1999 09:27:46 +1030 (CST)
Received: (from grog@localhost)
	by freebie.lemis.com (8.9.3/8.9.0) id JAA46876;
	Thu, 25 Mar 1999 09:27:45 +1030 (CST)
Message-ID: <19990325092745.O425@lemis.com>
Date: Thu, 25 Mar 1999 09:27:45 +1030
From: Greg Lehey
To: Sal , freebsd-questions@FreeBSD.ORG
Subject: Re: IP forging in Emails?
References: <004e01be7647$a9f342c0$ddcdd6ce@salazar>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <004e01be7647$a9f342c0$ddcdd6ce@salazar>; from Sal on Wed, Mar 24, 1999 at 04:42:50PM -0600
WWW-Home-Page: http://www.lemis.com/~grog
Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-41-739-7062
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

[Format recovered--see http://www.lemis.com/email/email-format.html]

On Wednesday, 24 March 1999 at 16:42:50 -0600, Sal wrote:
> Help! I work for an ISP that uses BSD (although this probably has
> nothing to do with the OS). We have made the appropriate settings to
> sendmail to prevent relaying from anyone outside of our network and
> our policies scream "no spamming!", yet someone is.
>
> The spamming has been going on and on for the past three or four
> days. No need to say our support Email box has a few hundred angry
> emails in it. We'd normally approach the abuser and take the
> appropriate actions, but the problem is, we don't know who it is.
>
> The actual mailing process covers a couple of hours and when we
> match up our Portmaster detail files with the IP addresses on the
> samples of spam we've received, it's a different user every time!
> The Email's the same, but the user is different. I don't believe we
> have a coalition of a few dozen users doing this. I think someone is
> bouncing the spam from these innocent users' connections to make it
> appear as if the spam is coming from them.
>
> I'm not just looking for a fix, but a way to catch this guy. If
> it's any help, our service covers five main towns and all the IP
> addresses on these Emails come from the same city.
>
> I'd love to get any suggestions you have because the sysadmin is
> pulling his hair out over this thing. My address is sal@intellex.com
> and feel free to ask me for samples of the emails or whatever is
> needed to get this problem solved. Thanks for your time and
> brain-power.

Well, I suppose the first thing to do is to take a look at the log
messages and find out what's going on. It should be possible to stop
this, but a lot depends on what exactly they're doing. From your
description, it looks as if the spam is made to look as if it's coming
from your domain.

Oh, and I'd appreciate if you'd send lines of not more than 80
characters. It's a pain to read these one-line-per-paragraph
messages.

Greg
--
When replying to this message, please copy the original recipients.
For more information, see http://www.lemis.com/questions.html
See complete headers for address, home page and phone numbers
finger grog@lemis.com for PGP public key

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message